An odd thing is happening right now on 1 of our servers. A customer web-site was hacked. I disabled the web-site in ISPC, but ps -panut still shows this... Even after I restarted Apache (notice that there is no nginx installed on this server).
Edit: A reboot of the server closed the site.
Just for future cases: killall kills a process by name, not by user, so it would have been
Code:
killall /usr/sbin/nginx
Then, it is sometimes helpful to check what files a process uses with lsof -p. In your case this would have been
Code:
lsof -p 14434
to check one of the processes. Have you verified that:
- the /usr/sbin/nginx file is gone
- no cron job was created by the user to re-infect the system
- the website path itself contains no malicious scripts anymore
?
Looks like it was a DDoS attack against PRODEPA. The file that /proc/ID/exe pointed to was perl. Kill -9 processID was tried; it did not find anything to kill. I'm still wondering how ps -ef showed /usr/sbin/nginx when there was no nginx anywhere on the server. Not even in the compromised web-site.
The process name ps shows can be faked. You can try the 'c' parameter to show the real commands. Like
Code:
ps acux
or something like that.
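
The mismatch found in this thread (ps showing /usr/sbin/nginx while /proc/ID/exe pointed to perl) can be checked for every process at once. The following is an added example, not part of the original posts; the function name find_masquerading and its output format are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example: list processes whose claimed name (argv[0], what ps -ef
# prints) differs from the binary the kernel actually executed
# (/proc/PID/exe).
#
# Usage: find_masquerading [PROC_ROOT]   (PROC_ROOT defaults to /proc;
#        run as root to see other users' processes)
# Output: one line per mismatch: PID <TAB> claimed argv[0] <TAB> real exe
find_masquerading() {
    local root="${1:-/proc}" dir pid exe argv0 claimed real
    for dir in "$root"/[0-9]*; do
        [ -d "$dir" ] || continue
        pid="${dir##*/}"

        # exe is a symlink maintained by the kernel; the process cannot
        # rewrite it. Kernel threads and unreadable processes have none.
        exe="$(readlink "$dir/exe" 2>/dev/null)" || continue
        [ -n "$exe" ] || continue

        # cmdline is NUL-separated and lives in the process's own memory,
        # so the process can overwrite it with any name it likes.
        [ -r "$dir/cmdline" ] || continue
        argv0="$( { tr '\0' '\n' < "$dir/cmdline" | head -n 1; } 2>/dev/null )"
        [ -n "$argv0" ] || continue

        # Normalise the claimed name: keep the first word (daemons set
        # titles such as "sshd: user@pts/0"), drop the directory part and
        # the leading "-" that login shells use.
        claimed="${argv0%%[ :]*}"
        claimed="${claimed##*/}"
        claimed="${claimed#-}"

        # Normalise the real name: the kernel appends " (deleted)" when
        # the binary was unlinked after start.
        real="${exe% (deleted)}"
        real="${real##*/}"

        [ "$claimed" = "$real" ] || printf '%s\t%s\t%s\n' "$pid" "$argv0" "$exe"
    done
}
```

Benign mismatches also appear (versioned interpreter names behind a symlink, busybox applets), so treat each line as a lead and confirm it with lsof -p on that PID.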